Abracadabra $1.8M cook() Exploit

Although Abracadabra's protocol defenses had been strengthened following prior incidents, the decentralized lending platform suffered another significant breach on October 4, 2025, when attackers exploited a logic flaw in deprecated Cauldron V4 contracts to drain approximately 1.79 million MIM (roughly $1.8 million), converting the assets through Curve and Uniswap and laundering the proceeds via Tornado Cash. The exploit leveraged the multi-action `cook()` function, specifically a state reset between Action 5 (borrow) and Action 0, that allowed under-collateralized borrowing by bypassing the intended solvency check. The incident is the third major breach in two years for Abracadabra, following a $6.5 million exploit in January 2024 and a $13 million flash-loan attack in March 2025, and it underscores persistent weaknesses in the protocol's contract lifecycle management and auditing practices.

Technical analysis indicates the attacker manipulated the `cook()` routine in Cauldron V4, which aggregates multiple operations within a single transaction. Action 5, responsible for initiating borrowing, set a flag requiring a subsequent solvency assessment; however, a following Action 0 reset that flag, effectively cancelling the check and permitting borrowing that exceeded collateral constraints. The flaw is best characterized as a state-management bug: critical protocol variables were unexpectedly reinitialized partway through a compound operation. Its exploitation was made possible by deprecated contracts that remained live and had not undergone recent security review, which is why regular re-auditing of every contract still reachable on-chain, not only the current version, matters for catching this class of defect before it is exploited.

Financial consequences were material but contained. Roughly 1.79 million MIM was removed and converted to ETH before being funneled through Tornado Cash, with reports indicating about 395 ETH were involved in the laundering. Market reaction was immediate, with MIM trading volume falling nearly 17% in the short term. Abracadabra's decentralized organization responded by patching the vulnerability, disabling the deprecated functionality, and repurchasing the stolen MIM on the open market to preserve the stablecoin peg and reassure users that protocol liabilities would be covered. On-chain analysis also confirmed that the attacker initially funded the exploit via Tornado Cash.

The recurrence of breaches, often involving bypassed solvency or collateral checks, raises questions about governance around contract deprecation, audit cadence, and risk controls. The root cause here was a shared-status logic flaw in the `cook()` implementation that allowed the attacker to interleave actions and bypass the solvency check. While the rapid remediation and treasury intervention limited direct user losses, the pattern of repeated exploits suggests that deeper operational and security reforms remain necessary to restore long-term confidence.
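To make the state-management bug concrete, here is a small Python model of a batched-action executor with a "check solvency at the end" flag, written as an added example for this article. It is not Abracadabra's Cauldron code: only the action numbers (5 for borrow, 0 for the action that resets status) follow the write-up; the collateral ratio, position values, function names and the exact reset behaviour are assumed. The vulnerable variant lets a later action clear the flag a borrow set; the hardened variant makes the flag write-once and additionally decides the check from observed debt growth, so no ordering of actions can skip it. A final helper shows the kind of post-batch invariant check an operator can run over live positions.

```python
"""Model of a batched-action executor with an end-of-batch solvency flag.

Constructed for illustration; NOT Abracadabra's Cauldron V4 code.
Action numbers follow the incident write-up; the collateral ratio,
position values and names below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

ACTION_RESET = 0    # in the vulnerable variant, reinitialises shared status
ACTION_BORROW = 5   # increases debt and must trigger a solvency check

MAX_LTV = 0.75      # assumed: debt may not exceed 75% of collateral value


class InsolventError(Exception):
    """Raised when a batch would leave a position under-collateralised."""


@dataclass
class Position:
    collateral: float
    debt: float = 0.0


def is_solvent(pos: Position) -> bool:
    """Invariant every borrow must preserve."""
    return pos.debt <= pos.collateral * MAX_LTV


def cook_vulnerable(pos: Position, actions: list[tuple[int, float]]) -> Position:
    """Vulnerable pattern: a later action clears the pending-check status.

    Action 5 sets needs_check; Action 0 reinitialises the shared status,
    so the batch [5, 0] borrows without ever reaching the check.
    """
    new = Position(pos.collateral, pos.debt)      # work on a copy
    needs_check = False
    for action, amount in actions:
        if action == ACTION_BORROW:
            new.debt += amount
            needs_check = True
        elif action == ACTION_RESET:
            needs_check = False                   # the bug: status reset mid-batch
    if needs_check and not is_solvent(new):
        raise InsolventError(f"debt {new.debt} exceeds limit for {new.collateral}")
    return new


def cook_hardened(pos: Position, actions: list[tuple[int, float]]) -> Position:
    """Hardened pattern: the check depends on what the batch did, not on a
    flag that any action can clear. The flag is write-once, and the check
    also runs whenever debt grew, measured against the pre-batch snapshot.
    """
    new = Position(pos.collateral, pos.debt)
    needs_check = False
    for action, amount in actions:
        if action == ACTION_BORROW:
            new.debt += amount
            needs_check = True                    # nothing below may clear this
        elif action == ACTION_RESET:
            pass                                  # must not touch solvency status
    if (needs_check or new.debt > pos.debt) and not is_solvent(new):
        raise InsolventError(f"debt {new.debt} exceeds limit for {new.collateral}")
    return new


def batch_is_blocked(cook: Callable, pos: Position, actions: list[tuple[int, float]]) -> bool:
    """True if the given executor rejects the batch with InsolventError."""
    try:
        cook(pos, actions)
    except InsolventError:
        return True
    return False


def find_undercollateralised(positions: dict[str, Position]) -> list[str]:
    """Operator-side monitor: positions violating the invariant after a batch.
    A non-empty result after any block is a strong signal that a check was
    bypassed and the affected market should be paused."""
    return sorted(name for name, p in positions.items() if not is_solvent(p))


if __name__ == "__main__":
    start = Position(collateral=100.0)
    batch = [(ACTION_BORROW, 90.0), (ACTION_RESET, 0.0)]   # constructed sample
    leaked = cook_vulnerable(start, batch)                  # succeeds: 90 debt on 100 collateral
    print("vulnerable executor accepted debt:", leaked.debt)
    print("hardened executor blocked batch:", batch_is_blocked(cook_hardened, start, batch))
    print("monitor flags:", find_undercollateralised({"victim-market": leaked}))
```

The hardened executor is deliberately redundant: even if a future action type were added that forgot to set the flag, the before/after debt comparison still forces the check. The monitor is the cheap backstop for deprecated contracts that are still reachable: it does not need the contract source, only the position state after each block.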
